bitbake: toastergui: fix XSS injection points in projects page

We close XSS injection points in Projects page.

* modify the json filter to properly escape HTML tags in strings
* enable $sanitize to automatically sanitize dangerous HTML in
user-supplied input
* clean dangerous characters in targets field, as that field contents
will be directly passed to a shell command

Based on the vulnerability discovered and the patch provided by Michael Wood.

(Bitbake rev: 23c440db9c076ca37e651bdbbdbefee54998e1dc)

Signed-off-by: Alexandru DAMIAN <alexandru.damian@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

bitbake/lib/toaster/toastergui/templates/project.html

@@ -11,6 +11,8 @@ vim: expandtab tabstop=2
 <script src="{% static "js/angular.min.js" %}"></script>
 <script src="{% static "js/angular-animate.min.js" %}"></script>
 <script src="{% static "js/angular-cookies.min.js" %}"></script>
+<script src="{% static "js/angular-route.min.js" %}"></script>
+<script src="{% static "js/angular-sanitize.min.js" %}"></script>
 <script src="{% static "js/ui-bootstrap-tpls-0.11.0.js" %}"></script>
 
 
@@ -365,13 +367,13 @@ angular.element(document).ready(function() {
   scope.urls.layers = "{% url 'layers' %}";
   scope.urls.targets = "{% url 'targets' %}";
   scope.urls.importlayer = "{% url 'importlayer'%}"
-  scope.project = {{prj|safe}};
-  scope.builds = {{builds|safe}};
-  scope.layers = {{layers|safe}};
-  scope.targets = {{targets|safe}};
-  scope.frequenttargets = {{freqtargets|safe}};
-  scope.machine = {{machine|safe}};
-  scope.releases = {{releases|safe}};
+  scope.project = {{prj|json}};
+  scope.builds = {{builds|json}};
+  scope.layers = {{layers|json}};
+  scope.targets = {{targets|json}};
+  scope.frequenttargets = {{freqtargets|json}};
+  scope.machine = {{machine|json}};
+  scope.releases = {{releases|json}};
 
   var now = (new Date()).getTime();
   scope.todaydate = now - (now % 86400000);